SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader

Posted on Sun 23 July 2017 in Advisory • Tagged with vulnerability, advisory, samsung, cellebrite, bootloader, exploit, firmware, security, usb, arm, odin

Prequel

On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump eMMC of Samsung Galaxy devices :

This video strongly suggests that Samsung Galaxy bootloader can be exploited to execute arbitrary code.

Summary

Several bugs in Samsung Galaxy bootloader allow an attacker with …


Continue reading

Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM

Posted on Wed 05 October 2016 in Article • Tagged with vulnerability, amlogic, arm, security, firmware, trustzone, bootrom, bug

The Amlogic S905 System-On-Chip is an ARM processor designed for video applications. It's widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that enables DRM & other security features :

S905 block diagram
Amlogic S905 System Block Diagram

The SoC contains a Secure …


Continue reading

Analysis of Nexus 5 Monitor mode

Posted on Thu 25 December 2014 in Article • Tagged with arm, security, qualcomm, firmware, android, nexus, trustzone

This article will first describe how to locate the Monitor mode code in Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself because I didn't find any...so far !

Note: Terms (Non-)Secure …


Continue reading

pflupg-tool : unpack Philips SmartTV firmware

Posted on Fri 16 May 2014 in Tool • Tagged with mips, smarttv, firmware, philips

pflupg-tool is an unpacking tool for Philips SmartTV firmware (Fusion platform). If your firmware is encrypted, you have to provide the corresponding public key (public exponent + modulus).

You can add public keys in pflupg.h file:

#define PUBLIC_KEYS_CNT 2
// { name, public exponent e (hex string), modulus n (hex string)}
static …

Continue reading